Good day, everyone.
I have a problem understanding what I am doing wrong; please explain where the truth is buried.
I have a test Cisco 892 running IOS c890-universalk9-mz.152-4.M5.bin; on the Cisco site it seems to be listed as stable. Like many others, I have run into the whole pile of encryption types.
So far only Windows 7 works; XP and Linux do not.
The IPsec part of the config falls over in the second phase, judging by the debugs.
For XP and Win7 I added AssumeUDPEncapsulationContextOnSendRule = 2 to the registry, since the clients are behind NAT.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key test_key address 0.0.0.0 no-xauth
crypto isakmp nat keepalive 1800
crypto isakmp client configuration address-pool local L2TP
!
!
crypto ipsec transform-set W7 esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set XP esp-null esp-md5-hmac (ideally esp-3des esp-sha-hmac would be used here, but that does not work either, since the same policy is present below)
mode transport
crypto ipsec transform-set LIN esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map DYN-W7 1
set nat demux
set transform-set W7
!
crypto dynamic-map DYN-XP 2
set nat demux
set transform-set XP
!
crypto dynamic-map DYN-LIN 3
set nat demux
set transform-set LIN
!
!
crypto map CRYPTOMAP client configuration address respond
crypto map CRYPTOMAP 1 ipsec-isakmp dynamic DYN-W7
crypto map CRYPTOMAP 2 ipsec-isakmp dynamic DYN-XP
crypto map CRYPTOMAP 3 ipsec-isakmp dynamic DYN-LIN
According to this document XP should work http://support.microsoft.com/kb/325158, since everything seems to be right...
Here is what comes in from XP
Jan 28 06:19:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-null esp-md5-hmac }
Jan 28 06:19:35.555: ISAKMP:(2043): IPSec policy invalidated proposal with error 256
Jan 28 06:19:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-null esp-sha-hmac }
Jan 28 06:19:35.555: ISAKMP:(2043): IPSec policy invalidated proposal with error 256
Jan 28 06:19:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-des esp-sha-hmac }
Jan 28 06:19:35.555: ISAKMP:(2043): IPSec policy invalidated proposal with error 256
Jan 28 06:19:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-sha-hmac }
Jan 28 06:19:35.555: ISAKMP:(2043): IPSec policy invalidated proposal with error 256
So which encryption exactly does it want, if I have already tried everything... Help me out, because smoking the Cisco and Windows manuals has brought me to the conclusion: everything is configured correctly, and yet it does not work...
Now about Linux...
In short, there is no way to influence the ipsec settings in the Gnome 3 NetworkManager, even with sacrifices and a shaman's drum. I am too lazy to build xl2tpd + strongSwan by hand, since I want the convenient button in the connections list to work.
Here is what the clunky plugin produces
[root@nb intelligent]# cat /run/nm-ipsec-l2tp.9281/ipsec.conf
version 2.0
config setup
nat_traversal=yes
force_keepalive=yes
protostack=netkey
keep_alive=60
conn nm-ipsec-l2tpd-9281
auto=add
type=transport
auth=esp
pfs=no
authby=secret
keyingtries=0
left=%defaultroute
right=1.1.1.1 (changed for security reasons)
esp=3des-sha1
keyexchange=ike
ike=3des-sha1-modp1024
aggrmode=no
forceencaps=yes
Here is what ike-scan returns
[root@nb intelligent]# ike-scan 1.1.1.1
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
1.1.1.1 Main Mode Handshake returned HDR=(CKY-R=e47a3f4eb9f69b3e) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
Again there is a problem with the negotiation in the second phase :-(
Jan 28 06:49:15.557: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.1.1.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/256/0,
remote_proxy= 2.2.2.2/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jan 28 06:49:15.557: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-sha-hmac }
Here is an excerpt of the Linux log
Jan 28 10:49:15 nb NetworkManager[526]: <info> Starting VPN service 'l2tp'...
Jan 28 10:49:15 nb NetworkManager[526]: <info> VPN service 'l2tp' started (org.freedesktop.NetworkManager.l2tp), PID 9991
Jan 28 10:49:15 nb NetworkManager[526]: <info> VPN service 'l2tp' appeared; activating connections
Jan 28 10:49:15 nb NetworkManager[526]: <info> VPN plugin state changed: starting (3)
Jan 28 10:49:15 nb NetworkManager[526]: Redirecting to: systemctl stop+start ipsec.service
Jan 28 10:49:15 nb systemd[1]: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jan 28 10:49:15 nb whack[10005]: 002 shutting down
Jan 28 10:49:15 nb systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jan 28 10:49:15 nb systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jan 28 10:49:15 nb systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jan 28 10:49:15 nb NetworkManager[526]: 002 forgetting secrets
Jan 28 10:49:15 nb NetworkManager[526]: 002 loading secrets from "/etc/ipsec.secrets"
Jan 28 10:49:15 nb ipsec_starter[10146]: Warning: ignored obsolete keyword 'force_keepalive'
Jan 28 10:49:15 nb NetworkManager[526]: opening file: /var/run/nm-ipsec-l2tp.9991/ipsec.conf
Jan 28 10:49:15 nb NetworkManager[526]: loading named conns: nm-ipsec-l2tpd-9991
Jan 28 10:49:15 nb NetworkManager[526]: parse_src = 1, parse_gateway = 0, has_dst = 1
Jan 28 10:49:15 nb NetworkManager[526]: dst 1.1.1.1 via 192.168.0.244 dev enp0s25 src 192.168.0.111
Jan 28 10:49:15 nb NetworkManager[526]: set addr: 192.168.0.111
Jan 28 10:49:40 nb NetworkManager[526]: <info> VPN connection 'ALEXHOME L2TP' (Connect) reply received.
Jan 28 10:49:40 nb NetworkManager[526]: <warn> VPN connection 'ALEXHOME L2TP' failed to connect: 'Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.'.
Jan 28 10:49:40 nb NetworkManager[526]: <info> Policy set 'DHCP' (enp0s25) as default for IPv4 routing and DNS.
Jan 28 10:50:05 nb NetworkManager[526]: <warn> error disconnecting VPN: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Jan 28 10:50:07 nb NetworkManager[526]: <info> VPN service 'l2tp' disappeared
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #1: initiating Main Mode
Jan 28 10:50:25 nb NetworkManager[526]: 104 "nm-ipsec-l2tpd-9991" #1: STATE_MAIN_I1: initiate
Jan 28 10:50:25 nb NetworkManager[526]: 003 "nm-ipsec-l2tpd-9991" #1: received Vendor ID payload [RFC 3947]
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 28 10:50:25 nb NetworkManager[526]: 106 "nm-ipsec-l2tpd-9991" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 28 10:50:25 nb NetworkManager[526]: 003 "nm-ipsec-l2tpd-9991" #1: received Vendor ID payload [Cisco-Unity]
Jan 28 10:50:25 nb NetworkManager[526]: 003 "nm-ipsec-l2tpd-9991" #1: received Vendor ID payload [Dead Peer Detection]
Jan 28 10:50:25 nb NetworkManager[526]: 003 "nm-ipsec-l2tpd-9991" #1: ignoring unknown Vendor ID payload [11bd9853cfcd52f8eaf31e68c34ac086]
Jan 28 10:50:25 nb NetworkManager[526]: 003 "nm-ipsec-l2tpd-9991" #1: received Vendor ID payload [XAUTH]
Jan 28 10:50:25 nb NetworkManager[526]: 003 "nm-ipsec-l2tpd-9991" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #1: Not sending INITIAL_CONTACT
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 28 10:50:25 nb NetworkManager[526]: 108 "nm-ipsec-l2tpd-9991" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #1: Main mode peer ID is ID_IPV4_ADDR: '1.1.1.1'
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 28 10:50:25 nb NetworkManager[526]: 004 "nm-ipsec-l2tpd-9991" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jan 28 10:50:25 nb NetworkManager[526]: 002 "nm-ipsec-l2tpd-9991" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEv2ALLOW+SAREFTRACK+IKE_FRAG {using isakmp#1 msgid:80e3f288 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jan 28 10:50:25 nb NetworkManager[526]: 117 "nm-ipsec-l2tpd-9991" #2: STATE_QUICK_I1: initiate
Jan 28 10:50:25 nb NetworkManager[526]: 010 "nm-ipsec-l2tpd-9991" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
Jan 28 10:50:25 nb NetworkManager[526]: 010 "nm-ipsec-l2tpd-9991" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
Jan 28 10:50:25 nb NetworkManager[526]: 031 "nm-ipsec-l2tpd-9991" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 28 10:50:25 nb NetworkManager[526]: 000 "nm-ipsec-l2tpd-9991" #2: starting keying attempt 2 of an unlimited number, but releasing whack
Jan 28 10:51:10 nb gnome-session[997]: [3386:3472:0128/105110:ERROR:download.cc(330)] PostClientToServerMessage() failed during GetUpdates
In short, help me out; good links to manuals are welcome, but better yet point me at the place in the config to fix, or at what exactly is misconfigured.
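A quick way to separate "the router does not have this algorithm" from "the router has it but will not offer it" is to normalise everything to (cipher, integrity) pairs and compare. The script below is an added example for this thread, not code from the original posts or from Cisco/openswan: it parses the `crypto ipsec transform-set` lines of the IOS config, the `{esp-... esp-...}` proposals from the `transform proposal not supported` debug output, and the `esp=` line of the NetworkManager-generated ipsec.conf, all copied from the posts above. The keyword tables are assumptions limited to the algorithms that appear in the thread.

```python
"""Cross-check a client's IKE phase-2 proposals against a router's transform sets.

Added example for this thread (not code from the original posts). Sample inputs
are copied from the posts; the keyword tables cover only the algorithms seen there.
"""
import re

# Cisco IOS ESP transform keywords -> normalised algorithm names (assumed subset).
IOS_ENC = {"esp-null": "null", "esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128"}
IOS_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}
# openswan/libreswan `esp=` tokens -> the same normalised names ("aes" alone is 128-bit).
SWAN_ENC = {"null": "null", "des": "des", "3des": "3des", "aes": "aes128", "aes128": "aes128"}
SWAN_AUTH = {"md5": "md5", "sha": "sha1", "sha1": "sha1"}


def _ios_pair(tokens):
    """Turn ['esp-3des', 'esp-sha-hmac'] into ('3des', 'sha1')."""
    enc = auth = None
    for tok in tokens:
        if tok in IOS_ENC:
            enc = IOS_ENC[tok]
        elif tok in IOS_AUTH:
            auth = IOS_AUTH[tok]
        else:
            raise ValueError(f"unknown ESP transform keyword: {tok}")
    return (enc, auth)


def parse_ios_transform_sets(config):
    """Return {name: (enc, auth)} for every `crypto ipsec transform-set` line."""
    pattern = r"^\s*crypto ipsec transform-set (\S+)\s+(.+?)\s*$"
    return {m.group(1): _ios_pair(m.group(2).split())
            for m in re.finditer(pattern, config, re.M)}


def parse_ios_rejected_proposals(debug):
    """Return the (enc, auth) pairs the router logged as 'not supported', in order."""
    return [_ios_pair(m.group(1).split())
            for m in re.finditer(r"\{\s*((?:esp-\S+\s*)+)\}", debug)]


def parse_swan_esp(conf):
    """Return (enc, auth) from the `esp=` line of an openswan-style ipsec.conf."""
    m = re.search(r"^\s*esp=(\S+)", conf, re.M)
    enc, auth = m.group(1).split("-")[:2]
    return (SWAN_ENC[enc], SWAN_AUTH[auth])


def match_proposals(proposals, transform_sets):
    """Map each proposal to the names of the transform sets that implement it."""
    return {p: sorted(n for n, ts in transform_sets.items() if ts == p) for p in proposals}


# Sample inputs copied from the thread (the router config and debug output above).
CISCO_CONFIG = """\
crypto ipsec transform-set W7 esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set XP esp-null esp-md5-hmac
 mode transport
crypto ipsec transform-set LIN esp-3des esp-sha-hmac
 mode transport
"""

XP_DEBUG = """\
Jan 28 06:19:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-null esp-md5-hmac }
Jan 28 06:19:35.555: ISAKMP:(2043): IPSec policy invalidated proposal with error 256
Jan 28 06:19:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-null esp-sha-hmac }
Jan 28 06:19:35.555: ISAKMP:(2043): IPSec policy invalidated proposal with error 256
Jan 28 06:19:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-des esp-sha-hmac }
Jan 28 06:19:35.555: ISAKMP:(2043): IPSec policy invalidated proposal with error 256
Jan 28 06:19:35.555: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-3des esp-sha-hmac }
Jan 28 06:19:35.555: ISAKMP:(2043): IPSec policy invalidated proposal with error 256
"""

LINUX_IPSEC_CONF = """\
conn nm-ipsec-l2tpd-9281
    type=transport
    esp=3des-sha1
    ike=3des-sha1-modp1024
"""


def report():
    """Which rejected proposals does the router actually have a transform set for?"""
    sets = parse_ios_transform_sets(CISCO_CONFIG)
    xp = match_proposals(parse_ios_rejected_proposals(XP_DEBUG), sets)
    linux = match_proposals([parse_swan_esp(LINUX_IPSEC_CONF)], sets)
    return {"transform_sets": sets, "xp": xp, "linux": linux}


if __name__ == "__main__":
    for section, value in report().items():
        print(section, value)
```

Run against the thread's own data, the report shows that XP's `{esp-3des esp-sha-hmac}` and Linux's `esp=3des-sha1` both map onto the configured LIN set (and XP's `{esp-null esp-md5-hmac}` onto the XP set), yet the router rejected them. When the algorithms are present but still refused, the thing to look at is how the transform sets are bound into the crypto map rather than the algorithm list, which is where the poster's later fix ended up.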
As always, one has to read the damn thing carefully... A working construction for XP and W7
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key test_key address 0.0.0.0 no-xauth
crypto isakmp nat keepalive 1800
crypto isakmp client configuration address-pool local L2TP
!
!
crypto ipsec transform-set W7 esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set XP esp-3des esp-sha-hmac
mode transport
!
!
crypto dynamic-map DYN 1
set nat demux
set transform-set W7 XP
!
!
crypto map CRYPTOMAP client configuration address respond
crypto map CRYPTOMAP 1 ipsec-isakmp dynamic DYN
With Linux the problem has not gone away :-( All the same issues.
More logs from the Cisco when trying to connect from Linux
Jan 28 16:50:00 cisco 718: Jan 28 12:51:40.419: ISAKMP (2067): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
Jan 28 16:50:00 cisco 719: Jan 28 12:51:40.419: ISAKMP:(2067):deleting node -541694105 error FALSE reason "QM done (await)"
Jan 28 16:50:01 cisco 720: Jan 28 12:51:40.419: ISAKMP:(2067):Node 3753273191, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jan 28 16:50:01 cisco 721: Jan 28 12:51:40.419: ISAKMP:(2067):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Jan 28 16:50:01 cisco 722: Jan 28 12:51:40.419: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jan 28 16:50:01 cisco 723: Jan 28 12:51:40.419: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jan 28 16:50:01 cisco 724: Jan 28 12:51:40.419: IPSEC: Expand action denied, notify RP
Jan 28 16:50:07 cisco 725: Jan 28 12:51:46.431: %L2TP-3-ILLEGAL: _____:________: ERROR: remote id returned an invalid l2tp_cc, cc_id = 12606, remote_port = 0, remote_ip = 2.2.2.2
Jan 28 16:50:07 cisco 726: -Traceback= 823530F4z 8411A224z 8411A3D0z 8411A5B0z 841175F8z 8410AD04z 8412C1B8z 84125184z 841252D8z 8186B708z 818519F0z
Jan 28 16:50:08 cisco 727: Jan 28 12:51:47.431: %L2TP-3-ILLEGAL: _____:________: ERROR: remote id returned an invalid l2tp_cc, cc_id = 12606, remote_port = 0, remote_ip = 2.2.2.2
Jan 28 16:50:08 cisco 728: -Traceback= 823530F4z 8411A224z 8411A3D0z 8411A5B0z 841175F8z 8410AD04z 8412C1B8z 84125184z 841252D8z 8186B708z 818519F0z
Jan 28 16:50:09 cisco 729: Jan 28 12:51:48.431: %L2TP-3-ILLEGAL: _____:________: ERROR: remote id returned an invalid l2tp_cc, cc_id = 12606, remote_port = 0, remote_ip = 2.2.2.2
Jan 28 16:50:09 cisco 730: -Traceback= 823530F4z 8411A224z 8411A3D0z 8411A5B0z 841175F8z 8410AD04z 8412C1B8z 84125184z 841252D8z 8186B708z 818519F0z
Jan 28 16:50:10 cisco 731: Jan 28 12:51:49.431: %L2TP-3-ILLEGAL: _____:________: ERROR: remote id returned an invalid l2tp_cc, cc_id = 12606, remote_port = 0, remote_ip = 2.2.2.2
Jan 28 16:50:10 cisco 732: -Traceback= 823530F4z 8411A224z 8411A3D0z 8411A5B0z 841175F8z 8410AD04z 8412C1B8z 84125184z 841252D8z 8186B708z 818519F0z
Jan 28 16:50:24 cisco 733: Jan 28 12:52:03.436: ISAKMP:(2066):purging node 1
Phase two went through, and then some gibberish started... I have no idea at all what kind of error this is. ERROR: remote id returned an invalid l2tp_cc
Solved all the problems. I had to load the latest IOS to get rid of the ERROR, and add this one option...
crypto ipsec security-association replay disable
Now all three operating systems work :-)
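The option that made the Linux client work, `crypto ipsec security-association replay disable`, switches off the ESP anti-replay check for the SA. That check is a sliding window over sequence numbers (RFC 4303, Appendix A2): a packet far behind the highest sequence number seen is dropped even if it is genuine, which is what reordering across a NAT path can trigger; with the check disabled, a captured ESP packet that is re-injected is accepted too. IOS also has `crypto ipsec security-association replay window-size`, which keeps the check but tolerates more reordering. The simulation below is an added example, not code from the thread: it implements the RFC window and feeds it a constructed stream to show the three outcomes (accept, stale, replay) and what disabling the check gives up.

```python
"""RFC 4303 anti-replay sliding window: why late ESP packets get dropped.

Added example for this thread (not code from the original posts). The window
follows RFC 4303 Appendix A2; the packet stream is constructed for illustration.
"""


class ReplayWindow:
    """Anti-replay state for one inbound IPsec SA."""

    def __init__(self, size=64, enabled=True):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.enabled = enabled
        self.highest = 0            # highest sequence number accepted so far
        self.bitmap = 0             # bit d set <=> sequence (highest - d) was seen
        self._mask = (1 << size) - 1

    def check(self, seq):
        """Return 'accept', 'stale' or 'replay'; state is updated on accept."""
        if not self.enabled:
            return "accept"         # `replay disable`: every sequence number passes
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; history that falls off the end is forgotten.
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self._mask
            else:
                self.bitmap = 1
            self.highest = seq
            return "accept"
        diff = self.highest - seq
        if diff >= self.size:
            return "stale"          # older than the window: dropped, genuine or not
        if (self.bitmap >> diff) & 1:
            return "replay"         # already seen inside the window
        self.bitmap |= 1 << diff    # late but new: accept and remember it
        return "accept"


def run_stream(seqs, size=64, enabled=True):
    """Feed a sequence-number stream through one window and count the outcomes."""
    win = ReplayWindow(size, enabled)
    counts = {"accept": 0, "stale": 0, "replay": 0}
    for seq in seqs:
        counts[win.check(seq)] += 1
    return counts


# Constructed stream: 200 packets in order except #100, which arrives late after
# #200, followed by a duplicate of #150 (what a replayed capture looks like).
LATE_THEN_DUPLICATE = list(range(1, 100)) + list(range(101, 201)) + [100, 150]

if __name__ == "__main__":
    print("window 64 :", run_stream(LATE_THEN_DUPLICATE, 64))
    print("window 256:", run_stream(LATE_THEN_DUPLICATE, 256))
    print("disabled  :", run_stream(LATE_THEN_DUPLICATE, enabled=False))
```

With the default 64-packet window the late packet is dropped as stale while the duplicate is caught as a replay; widening the window to 256 accepts the late packet and still rejects the duplicate; disabling the check accepts everything, duplicate included.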